This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours

Bug 1052440

Summary: CVE-2014-0022 yum: yum-cron installs unsigned packages [fedora-all]
Product: [Fedora] Fedora Reporter: Gabriel VLASIU <gabriel>
Component: yumAssignee: packaging-team-maint
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 19CC: admiller, extras-orphan, ffesti, firas.alkafri, james.antill, notting, packaging-team-maint, yersinia.spiros, zpavlas
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: noarch   
OS: Linux   
Whiteboard:
Fixed In Version: yum-3.4.3-132.fc19 Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
: 1052994 1053202 (view as bug list) Environment:
Last Closed: 2014-01-17 23:27:09 EST Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 1057377    

Description Gabriel VLASIU 2014-01-13 15:15:42 EST
Description of problem:
yum-cron install unsigned packages. This is not acceptable!

Version-Release number of selected component (if applicable):
yum-cron-3.4.3-128.fc19.noarch

Steps to Reproduce:
$ rpmbuild -ba testrpm.spec 
...
Wrote: /home/someuser/work/rpm/SRPMS/testrpm-1.0-1.f19g.src.rpm
Wrote: /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
...
+ exit 0

$ rpmsign --addsign /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
Enter pass phrase: 
Pass phrase is good.
/home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm:

$ yum -y install /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
...
$ rpm -q testrpm
testrpm-1.0-1.f19g.noarch

$ rpmbuild -ba testrpm.spec 
...
Wrote: /home/someuser/work/rpm/SRPMS/testrpm-1.1-1.f19g.src.rpm
Wrote: /home/someuser/work/rpm/RPMS/noarch/testrpm-1.1-1.f19g.noarch.rpm
...
+ exit 0

$ mkdir ~/testrepo
$ cd ~testrepo
$ cp /home/someuser/work/rpm/RPMS/noarch/testrpm-1.1-1.f19g.noarch.rpm .
$ createrepo .
...

$ grep gpgcheck=0 /etc/yum.conf /etc/yum.repos.d/*
$ cat 
[test]
name=test
baseurl=file:///home/someuser/testrepo
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-test
gpgcheck=1
enabled=1

Wait for yum-cron to run via crontab. The email received from cron daemon look like this:

From: Cron Daemon <root@xxxx>
To: root@xxxx
Subject: Cron <root@xxxx> run-parts /etc/cron.hourly

/etc/cron.hourly/0yum-hourly.cron:

Loaded plugins: fastestmirror, post-transaction-actions, priorities,
              : protectbase, remove-with-leaves, rpm-warm-cache, versionlock
Loading mirror speeds from cached hostfile
...
0 packages excluded due to repository protections
Package testrpm-1.1-1.f19g.noarch.rpm is not signed

$ rpm -q testrpm
testrpm-1.1-1.f19g.noarch

$ rpm -ev testrpm
Preparing packages...
testrpm-1.1-1.f19g.noarch

[root@imhotep ~]# yum -y install testrpm
...
--> Running transaction check
---> Package testrpm.noarch 0:1.1-1.f19g will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch              Version               Repository     Size
================================================================================
Installing:
 testrpm            noarch            1.1-1.f19g            test          1.9 k

Transaction Summary
================================================================================
Install  1 Package

Total size: 1.9 k
Installed size: 0  
Downloading packages:


Package testrpm-1.1-1.f19g.noarch.rpm is not signed


Actual results:
yum-cron install unsigned packages.

Expected results:
yum-cron should not install unsigned packages.

Additional info:
Comment 1 Zdeněk Pavlas 2014-01-14 09:44:52 EST
Confirmed, thanks for the report. Looks like an easy fix.

http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4
Comment 2 Gabriel VLASIU 2014-01-14 14:42:41 EST
> Confirmed, thanks for the report. Looks like an easy fix.
> 
> http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;
> h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4
Thank you. Your patch works for me.
Comment 3 Fedora Update System 2014-01-15 06:06:22 EST
yum-3.4.3-130.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/yum-3.4.3-130.fc20
Comment 4 Fedora Update System 2014-01-15 11:09:52 EST
yum-3.4.3-130.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/yum-3.4.3-130.fc19
Comment 5 Fedora Update System 2014-01-16 02:07:14 EST
Package yum-3.4.3-130.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing yum-3.4.3-130.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0928/yum-3.4.3-130.fc20
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2014-01-17 23:27:09 EST
yum-3.4.3-130.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-01-22 06:09:16 EST
yum-3.4.3-132.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/yum-3.4.3-132.fc19
Comment 8 Fedora Update System 2014-02-05 22:53:15 EST
yum-3.4.3-132.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.